  1. OpenOLAT
  2. OO-4292

RestAPI: can't create new groups in a course


    Details

      Description

      Creating new groups in a course with /repo/courses/{courseId}/groups results in a 401 error (not authorized). This patch fixes that: 

      diff --git a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      index 58623e9..4dc1509 100644
      --- a/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      +++ b/src/main/java/org/olat/restapi/repository/course/CourseGroupWebService.java
      @@ -51,6 +51,8 @@
       import org.olat.core.util.vfs.QuotaManager;
       import org.olat.core.util.vfs.VFSContainer;
       import org.olat.core.util.vfs.VFSManager;
      +import org.olat.course.CourseFactory;
      +import org.olat.course.ICourse;
       import org.olat.group.BusinessGroup;
       import org.olat.group.BusinessGroupService;
       import org.olat.group.model.SearchBusinessGroupParams;
      @@ -212,7 +214,8 @@
       	@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
       	@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
       	public Response putNewGroup(GroupVO group, @Context HttpServletRequest request) {
      -		if(!RestSecurityHelper.isGroupManager(request)) {
      +		ICourse icourse = CourseFactory.loadCourse(course.getResourceableId());
      +		if(!RestSecurityHelper.isGroupManager(request) && !RestSecurityHelper.isOwnerGrpManager(icourse, request)) {
       			return Response.serverError().status(Status.UNAUTHORIZED).build();
       		} else if(course == null) {
       			return Response.serverError().status(Status.NOT_FOUND).build();
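Review bot: `course.getResourceableId()` on the first added line is dereferenced before the `course == null` branch two lines below, so if `course` can be null here (as the existing branch implies) a request for a missing course throws a NullPointerException instead of returning 404. Guarding the load keeps the authorization check ahead of the existence check, so callers without rights still cannot tell which course ids exist: `ICourse icourse = course == null ? null : CourseFactory.loadCourse(course.getResourceableId());`. With a null `icourse`, the new `isOwnerGrpManager` returns false for non-administrators through its catch block, and administrators or group managers fall through to the 404 branch. The body of putNewGroup continues outside the hunk.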
      diff --git a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      index 8804b11..d67190c 100644
      --- a/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      +++ b/src/main/java/org/olat/restapi/security/RestSecurityHelper.java
      @@ -79,6 +79,19 @@
       		}
       	}
       	
      +	public static boolean isOwnerGrpManager(ICourse course, HttpServletRequest request) {
      +		try {
      +			Roles roles = getRoles(request);
      +			if(roles.isAdministrator()) return true;
      +			CourseGroupManager cgm = course.getCourseEnvironment().getCourseGroupManager();
      +			UserRequest ureq = getUserRequest(request);
      +			Identity identity = ureq.getIdentity();
      +			return cgm.isIdentityCourseAdministrator(identity) || cgm.hasRight(identity, CourseRights.RIGHT_GROUPMANAGEMENT);
      +		} catch (Exception e) {
      +			return false;
      +		}
      +	}
      +
       	public static boolean isAuthorGrpManager(ICourse course, HttpServletRequest request) {
       		try {
       			Roles roles = getRoles(request);
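Review bot: The `catch (Exception e)` in the added `isOwnerGrpManager` turns every failure, for example a null `course` or a failed lookup, into a silent `false`. Denying on error is the safe direction for an authorization check, but with nothing logged a broken lookup is indistinguishable from a legitimately refused caller; logging the exception before `return false;` would fix that, using whatever logger the class already has (not visible in this hunk). The method also lacks Javadoc stating its contract, something like `/** Returns true if the caller is a system administrator, a course administrator of the given course, or holds RIGHT_GROUPMANAGEMENT in it; returns false on any error. */`.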
      

      BTW: The function isAuthorGrpManager() is not used, and it would not be correct in this context because an author would get the right to create groups in any course.


            People

            Assignee:
            srosse Stéphane Rossé
            Reporter:
            stephan Stephan Clemenz
            Tester:
            Mandy Menzel
